The new General Data Protection Regulation (GDPR) will come into force on 25 May 2018. GDPR will radically change the way in which data controllers process personal data and expands upon the requirements of the current Data Protection Act 1998.
HR teams are at the heart of processing personal data and are a key player throughout the transition. It is essential that HR are aware of the adjustments made by the GDPR and the procedures they must implement in order to remain compliant with the law.
The main areas of adjustment centre on the principles of transparency, erasure and portability of data, in a world where online personal data is of increasing value. The GDPR seeks to apply these principles uniformly across EU member states in an attempt to protect personal data more effectively and to strengthen the rights available to staff.
One of the most significant changes is the introduction of a higher standard of consent concerning personal data than under the previous Data Protection rules. HR teams are required to establish that an individual has given “unambiguous consent” to their personal data being processed. This may require HR teams to review and adapt their current policies and procedures on consent to the processing of personal data, by being more specific in the wording of employment contracts and other employment documentation. The GDPR places the burden of proof on businesses to demonstrate that consent was given to hold personal data and that staff were able to withdraw their consent easily. This is more onerous, as there is no longer any “implied consent”. HR teams therefore need to be properly clued up on their responsibilities concerning data.
The risk-based approach to compliance changes the general way in which HR should deal with securing personal data. They must assess the risk of holding certain data in particular forms and consider the potential for a data breach under a proactive rather than a reactive system. HR should audit and review the current system for processing and securing data in the run-up to the implementation of the GDPR.
The importance of this change is shown in the increased enforcement powers, which significantly raise the maximum fines applicable to HR data controllers. Fines of 2%–4% of annual worldwide turnover for violations relating to internal and external record-keeping breaches exemplify the significance of compliance for HR teams.
Alongside this is a stricter breach reporting process, including the requirement for businesses to notify the supervisory authority without undue delay and preferably within 72 hours. This increases the urgency and the level of responsibility within HR teams to remain compliant with the requirement to report.
The need to comply with data protection rules is at its greatest in the coming months. If you or any member of an HR team would like advice and assistance on identifying and implementing the GDPR changes, please do not hesitate to contact Kevin Barnett or any other member of the Employment Team.